Deborah Blyth was at a local CISO conference, listening to Jonathan Trull address challenges as the then-CISO for Colorado. “When I started as CISO, I had a budget of $6,000 ... to secure the whole state of Colorado,” he said. Trull went on to describe how he created the award-winning “Secure Colorado” strategy to increase his budget, a budget that Blyth would later inherit when she became the next state of Colorado CISO.
We knew more funding was needed to adequately secure the state’s infrastructure from the volume of daily attacks. And we needed our first dollars invested to show an immediate return.
I knew that asking the Colorado General Assembly for millions of dollars was going to be a hard sell. I needed to have a firm strategy demonstrating that the request was realistic and essential, and that the investment would improve the state’s security.
Security is a team sport. I needed executive level buy-in from all areas of the organization. To achieve support for Secure Colorado, I formed the Colorado Information Security Advisory Board. The advisory board included representatives from state government and nationally recognized cyber security experts. The advisory board validated the value of Secure Colorado and lobbied for its implementation. Secure Colorado would not have been possible without that.
The backbone of Secure Colorado is the state’s adoption of the Critical Security Controls for Effective Cyber Defense. The adoption of a particular control framework was, by far, one of the most controversial decision points. Although there are many excellent, comprehensive control frameworks available, I needed controls that had a track record of great results in a short amount of time. With a small staff and a tight budget, I needed every row of the proverbial oar to achieve maximum results. In the end, the decision was easy. I chose the critical security controls to be our road map for the next three years. The Advisory Board agreed.
With controls in place we needed metrics to measure success. Unlike CEOs and CFOs, CISOs generally lack an agreed-upon set of metrics, which hurts a security program. We built in 12 cyber security metrics, approved by the Advisory Board and the State CIO, and used by the legislature to track performance. Those metrics showed that for x amount of dollars we achieved y results.
Finally, we needed to deliver meaningful results. Upon receiving executive and legislative branch approval and funding, we immediately got to work. We knew what gaps we needed to close. So we procured new technologies, retrained staff, managed change, revised policies and procedures, streamlined operational processes, and measured our progress weekly. Managing change was extremely important. Many adopted the new approach immediately, most waited to see success, and others resisted no matter what. Managing each segment appropriately and not letting the minority of resisters impact overall success was key.
I believe we achieved our overall goal for Phase I of Secure Colorado and established the foundation for future success.
When I became the CISO of the State of Colorado in August 2014, we were one month into Phase II of Secure Colorado. The budget had already been established and everyone was familiar with the strategy and moving forward with appropriate projects.
Phase I implemented the first five Critical Security Controls, giving us a measurable improvement in our security program. While Phase I focused primarily upon hardening the state from Internet-based attacks, subsequent phases are meant to expand deeper into the network’s internal systems, applications and databases, as well as training, testing, and incident response.
It’s a great roadmap but not overly prescriptive: Secure Colorado directs progressive improvements to our security program, while providing flexibility to adjust as threats emerge or business changes require.
With an approximate 18-month budgeting cycle, only a few months into the role, I was looking ahead to 2017 and future iterations of Secure Colorado! In reviewing the accomplishments of Secure Colorado Phase I, and envisioning the successes of upcoming phases, some realities began to materialize. New technology we’d acquired ensured that we were “seeing” more of the environment. However, this also meant that the monitoring team had a deluge of information they couldn’t keep up with.
Therefore, additional phases will address the need to help filter events through a lens of threat intelligence, while ensuring we are appropriately staffed and trained to respond quickly. 2014 certainly demonstrated that any enterprise, regardless of size and security investment, could be breached. Therefore, we recognize that focusing on early detection and response is key.
I’m excited about the Secure Colorado project and the enhanced data security it has brought to the citizens of Colorado! I look forward to building upon the program for many years of year-over-year improved security.
About the Authors
Jonathan Trull is the former CISO for the State of Colorado, and is currently the CISO for Qualys. In his tenure at the State of Colorado, Jonathan was responsible for the development of the Secure Colorado program and for the formation of the state’s first Cyber Crime Task Force.
Deborah Blyth became the CISO for the State of Colorado in August 2014. Deborah is responsible for delivering subsequent phases of Secure Colorado to achieve measurable security improvements, as well as strategic planning to ensure ongoing investment into the cyber security program.
This article is published as part of the IDG Contributor Network.